Apple Leaves Two Obvious Security Weaknesses In Mac OS X El Capitan

Apple launched its latest iteration of Mac OS X today, El Capitan, but along with a host of fresh features there are two key weaknesses that researchers have warned leave users open to password theft and malware infection. Both reside in security tools designed to prevent attacks.

The first problem, due to be detailed by perennial Mac hacker Patrick Wardle at the VB2015 conference tomorrow, allows attackers to completely bypass Apple’s Gatekeeper technology, designed to keep unverified, unsigned code off of Macs. Wardle told FORBES his findings prove Gatekeeper useless in the face of any smart hacker, even where security-minded users have selected to only accept downloads from the vetted Apple App Store.

“Gatekeeper has one job: to block unauthenticated code coming from the internet. We’ve completely bypassed this. To me, Gatekeeper is no obstacle at all,” he added. “It provides some protection against lame adversaries. But I’m sure more advanced attackers have already figured this out.”

Mac OS X El Capitan was released as a free download today. But Apple has left some significant security weaknesses in its new operating system.

Wardle, head of research at bug-hunting business Synack, took advantage of a known weakness in Gatekeeper: it only does one check on app bundle downloads and doesn’t carry out further checks when the download is actually launched. This allowed him to create a malicious download that contained a legitimate Apple-signed app and a hidden unsigned malicious file. When the download was launched, the app also ran the unchecked malware in a related file directory without Gatekeeper noticing. “You’d think Gatekeeper would block this secondary execution but it doesn’t as it only does this one-time check,” Wardle said. “The bypass I found is very basic, but it’s effective.”

Wardle said he didn’t want to reveal the specific Apple-signed file that he used in his attacks as it could put Mac users in danger. The software, he said, is a terminal application that did just what he needed: launched a second unsigned app in its own directory structure and then stopped running. Though his attack would open up a terminal, he found a way to make it invisible to the user by just changing the name of the application.

A target would therefore be unaware of nasty activity happening in the background. According to Wardle, attackers who want to use these methods would likely deliver malware, masquerading as the unsigned file, via tried and tested methods - hiding inside pirated apps or rogue anti-virus products.

Head of research at Synack, Patrick Wardle, says he's found a simple trick to bypass Apple's Gatekeeper.

Earlier this year, the ex-NSA staffer showed off a not dissimilar attack on Mac OS X. In that attack, he relied on Gatekeeper’s inability to check “external dependencies” - the files the operating system loader grabbed outside of the application download when launched. Apple patched that with some extra checks for those dependencies.

His new attack is similar, but rather than the operating system loader accessing potentially harmful files located outside of the core app bundle, the application itself executes external unsigned software.

Apple could add some extra checks so that when the download is launched, the hidden files, which would already have been given a “quarantine” attribute by Apple, would be blocked or the user would at least receive a warning, Wardle added. But he warned there may be some occasions where this would break app functionality.
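As an added illustration (not code from the article, from Wardle or from Apple), the following Python script applies the defensive counterpart of the point above: rather than relying on the single check Gatekeeper performs on the item that is opened, it inventories every Mach-O executable in an extracted download, hidden directories included, records whether each file still carries the `com.apple.quarantine` attribute, and, on a Mac, verifies each one’s signature with `codesign`. The names in the built-in sample (`Legit.app`, `.hidden/helper`, `Tool.class`) are constructed for the demonstration, and the “flagged” rule (hidden path, or failing signature verification) is this example’s own heuristic, not Apple’s.

```python
"""Inventory every executable in a downloaded bundle, not only the item the user opens.

Added example, not code from the article, Wardle or Apple. Gatekeeper, as described in
the article, judges the launched item once, so a signed app can hand off to an unsigned
file beside it. Scanning the whole download first surfaces that file. Names are constructed.
"""
import os
import shutil
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

# Mach-O magic numbers as stored on disk: 32/64-bit in both byte orders, plus the fat header.
THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binaries; Java .class files reuse the same bytes
QUARANTINE_XATTR = "com.apple.quarantine"

@dataclass
class Finding:
    path: str                    # relative to the scanned download
    hidden: bool                 # a path component starts with ".", so Finder hides it by default
    quarantined: Optional[bool]  # None if the attribute cannot be read on this platform
    signed: Optional[bool]       # None if codesign(1) is unavailable

def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O or fat-binary header."""
    try:
        with path.open("rb") as f:
            head = f.read(8)
    except OSError:
        return False
    if head[:4] == FAT_MAGIC:
        # A fat header's architecture count is tiny; a Java class file's version word here is >= 45.
        return len(head) == 8 and int.from_bytes(head[4:8], "big") < 45
    return head[:4] in THIN_MAGICS

def quarantine_flag(path: Path) -> Optional[bool]:
    """Does the file still carry com.apple.quarantine? CPython has os.listxattr on Linux
    but not on macOS, so shell out to xattr(1) there."""
    if hasattr(os, "listxattr"):
        try:
            return QUARANTINE_XATTR in os.listxattr(path, follow_symlinks=False)
        except OSError:
            return None
    xattr = shutil.which("xattr")
    if xattr is None:
        return None
    return subprocess.run([xattr, "-p", QUARANTINE_XATTR, str(path)], capture_output=True).returncode == 0

def codesign_verifies(path: Path) -> Optional[bool]:
    """Run `codesign --verify`; None where the tool does not exist (non-macOS hosts)."""
    codesign = shutil.which("codesign")
    if codesign is None:
        return None
    return subprocess.run([codesign, "--verify", str(path)], capture_output=True).returncode == 0

def scan_download(root: str) -> List[Finding]:
    """Walk an extracted download and report every Mach-O file in it, wherever it sits."""
    base, findings = Path(root), []
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not is_macho(p):
                continue
            rel = p.relative_to(base)
            findings.append(Finding(rel.as_posix(), any(s.startswith(".") for s in rel.parts),
                                    quarantine_flag(p), codesign_verifies(p)))
    return sorted(findings, key=lambda f: f.path)

def suspicious(findings: List[Finding]) -> List[Finding]:
    """Executables a per-file launch check should stop: hidden, or failing signature verification."""
    return [f for f in findings if f.hidden or f.signed is False]

def build_sample_download(dest: str) -> None:
    """Constructed stand-in for the download the article describes: a visible app bundle, a hidden
    second executable beside it, and two non-executable decoys. Headers only, not real binaries."""
    d = Path(dest)
    exe = d / "Legit.app" / "Contents" / "MacOS" / "Legit"
    exe.parent.mkdir(parents=True)
    exe.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)                                   # MH_CIGAM_64
    (d / ".hidden").mkdir()
    (d / ".hidden" / "helper").write_bytes(FAT_MAGIC + (2).to_bytes(4, "big") + b"\x00" * 24)   # fat, 2 slices
    (d / "Tool.class").write_bytes(FAT_MAGIC + (52).to_bytes(4, "big") + b"\x00" * 24)         # Java 8 class
    (d / "README.txt").write_text("not an executable\n")

def report(root: Optional[str] = None) -> Tuple[List[str], List[str]]:
    """Scan `root`, or the constructed sample when None; returns (all Mach-O paths, flagged paths)."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_download(tmp)
            return report(tmp)
    found = scan_download(root)
    return [f.path for f in found], [f.path for f in suspicious(found)]

if __name__ == "__main__":
    paths, flagged = report(sys.argv[1] if len(sys.argv) > 1 else None)
    for p in paths:
        print(("FLAGGED " if p in flagged else "        ") + p)
    sys.exit(1 if flagged else 0)
```

Run it with the path of an extracted download to scan that directory; with no argument it builds and scans the constructed sample. On a host without `codesign` the signature step returns `None` and only the hidden-path rule fires, so on a Mac the report is strictly more informative.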

Wardle said he told Apple about the issue half a year ago, demonstrating it to the tech titan’s security team this summer. He hoped it would be fixed in El Capitan. No such luck, and Apple has not responded to a request for comment.

Keychain weakness lives on, say researchers

The second weakness is an old but unfixed issue reported in June by researchers from Indiana University Bloomington, Peking University and the Georgia Institute of Technology. The weakness resides in the Mac OS X Keychain, which contains authenticating data, including crucial passwords, tokens and keys for apps running on the operating system. The researchers found they could poison the Keychain via an unauthorized application to steal that data. They were also able to delete that information. In their proof of concept, the researchers were able to nab authenticating tokens for iCloud and Facebook.

According to Luyi Xing, of Indiana University Bloomington, the weakness leaves all passwords in OS X at risk of theft. There is, however, an open source tool, XGuardian, that can protect against the Keychain attack, Xing said. “So if Apple users want to protect themselves before a fix from Apple is finally in place, this app could help,” Xing told FORBES.

“Apple told us that a fix requires a fundamental overhaul of the Keychain infrastructure. This may take a long time.” The researchers said they originally disclosed the issues to Apple in October 2014.